The invention relates to on-line fraud analysis and fraud prevention.
Credit card transactions are utilized in a variety of environments. In a conventional shopping environment, a user provides a merchant with a credit card during check-out, and the merchant through various means (such as through a driver's license or other picture identification cards) verifies that the card actually belongs to the user.
In another environment, due to the widespread adoption of electronic commerce (eCommerce), more merchants, institutions, and/or government agencies are putting products/services on their websites for customers to purchase online. In addition to physical products, the Internet is used to sell non-physical products such as software, content, or related information and/or services. Products such as Internet calling, online gaming, digital content such as music and movies, online advertising, and online information provisioning, for example, are sold as a privilege to obtain information, to consume a service, or to consume a virtual experience such as gaming. In these types of transactions, the “shipping” of the product simply transmits information and/or usage credit to an email address, a user account with the merchant, or any suitable mechanism to make the product/service available to the purchaser.
Typically, a customer selects a number of products/services from an online catalog into a shopping cart. During check-out, the customer provides payment information (for example, a credit card, debit card, or PayPal account) and shipping information to the merchant. The shipping information can be provided directly in the form of a physical address or indirectly in the form of an email address or a user identification (UserID) from which the merchant can obtain the address.
Due to the anonymity of online customers and increased activities of online identity theft, online purchases represent a big risk for merchants. Unlike conventional purchases where customers are physically present for their purchases, online purchases can be made by people who don't own the credit card/debit card they use.
To counter fraudulent transactions, the credit card industry devised two verification procedures: Extra Security Check (ESC) and Address Verification Service (AVS). ESC is a mechanism that prints an extra verification code on credit cards for use online. In evaluating online purchases, those who enter the correct verification code are considered to be safe, and their transactions are approved. PayPal has a similar mechanism, the “verified PayPal account,” to which PayPal gives high priority for transaction approval in evaluating online purchases. The drawback of ESC is the overhead associated with implementing such an extra verification code. Additionally, organized hackers who can hack the credit card database would actually have access to the root information needed to execute the extra verification process, thus rendering ESC meaningless.
AVS is designed to detect fraud by comparing the various addresses a customer entered online (such as the card owner's address, shipping address, mailing address, and billing address) with addresses stored in the database of credit card issuers. If they match, the transaction is more likely to be authentic. AVS is another type of “extra security check” that can inevitably be hacked at the root, and can be too “shallow” to overcome hackers who can hack the entire database. In addition, AVS is often not available for international cards. AVS is not useful for checking the purchase of non-physical goods because the goods are not shipped to the buyer's physical address.
The ESC and AVS systems work well in a credit card transaction in which either the customer has a face-to-face meeting with the merchant or the merchant is actually shipping a package or the like to the address of a customer. The verification procedure typically includes receiving address information and identity information at the AVS system. However, for online service providers or merchants, address and identity information are generally insufficient to verify that the purchaser is actually the owner of the credit card. Many fraudulent transactions pass the strictest security measures such as “verified account” or “verified cards,” but, on many occasions, the information on the credit cards, debit cards, or any credit accounts has been “completely” stolen, so the thieves can easily pass any security check imposed on the cards.
For the foregoing reasons, many online purchases are fraudulent, and these fraudulent transactions can only be detected months later when the merchant receives charge-back requests well after the thieves have consumed the service at the expense of the merchant. Worst of all, the actual owners of the cards cast suspicion on the merchant as the potential thief who stole their credit information for creating fraudulent transactions that benefit the merchant.
Since arrangements between credit card issuers and merchants typically place liability directly on merchants when online fraudulent transactions take place, these merchants suffer loss of customers (or at least customer goodwill), incur charge-back fees from the credit card issuers, and may even lose their online payment privilege.